Alerts and legal analysis of legislative trends

Global News Roundup

In this Privacy Tracker legislative roundup, read about privacy concerns related to Brazil’s proposed Internet privacy law and one Turkey’s president recently signed into law, and get some insight on complying with South Africa’s new law. In the U.S., states are moving along bills to prevent revenge porn in Illinois and protect readers’ privacy in New Jersey and student privacy in Wyoming and Kansas, among others. Also, the Massachusetts Supreme Court has determined that police need to get a warrant in order to collect cellphone location data over a period of time.

Latest News

Amendments to Brazil’s Proposed Internet Privacy Law May Jeopardize Privacy
Activists have launched an online campaign aimed at removing one of the recent amendments to Brazil’s Internet bill of rights that is expected to be voted on by Congress at the end of the month. Global Voices reports that the amendments put net neutrality and user privacy in jeopardy, citing specifically Article 16, which requires service providers to retain personal data of consumers.

Turkish President Signs Internet Law
Turkish President Abdullah Gul has signed a law giving the government the power to monitor Internet activity and block content it deems illegal or to be "violating privacy" of a person, The Wall Street Journal reports. The law also requires Internet providers to retain records on users for two years. While the prime minister argues the change will protect privacy and further democracy, critics say it is an attempt to squash freedom of speech in advance of the upcoming elections. (Registration may be required to access this story.)

Complying with South Africa’s New Privacy Laws
ITWeb explores South Africa’s Protection of Personal Information Act (POPI), which was signed into law last November but has yet to come into practice. "Once a commencement date is announced, companies will only have one year to get their houses in order," according to Accenture’s security practice lead. The law has brought the country in line with international data privacy laws and is based on the EU directive.

Franken To Reintroduce Geolocation Privacy Bill
U.S. Sen. Al Franken (D-MN) has announced plans to reintroduce the Location Privacy Protection Act, which would require express consent in order for nongovernment entities to obtain geolocation information from an electronic communication device, among other provisions. Inside Privacy reports that the bill would apply to a range of businesses that interact with customers’ geolocation data and would allow enforcement by the federal attorney general, state attorneys general and private citizens.

Illinois Senate Committee Passes Revenge Porn Bill
An Illinois Senate committee has unanimously passed a bill that would make it a felony to post sexual material of others on the Internet without consent and to use that material for blackmail purposes, reports the Associated Press. The American Civil Liberties Union of Illinois is concerned the measure is too broad and may restrict free speech.

Indiana Senate Committee Passes Digital Privacy Bill
An Indiana Senate Committee has unanimously passed HB 1009, which would limit law enforcement’s use of drones, GPS tracking and cellphone searches as well as set new rules for citizens’ use of surveillance technologies, reports TheStatehouse File.

Kansas Student Privacy Bill Gains School Board Assoc. Support
The Topeka Capital-Journal reports that the Kansas Association of School Boards has put its support behind a bill that would restrict the sharing of student data and collection of biometrics, codifying the Department of Education’s practices. SB 367 would prevent data sharing with other state agencies in the absence of data-sharing agreements, which causes concern for the state’s epidemiologist, who says it could have unintended consequences for public health.

Massachusetts Supreme Court Rules Warrant Needed for Cell Location Data
The Massachusetts Supreme Judicial Court has ruled that police must obtain a warrant prior to collecting cellphone location data. The court ruled 5-2 against prosecutors, deciding that obtaining cell-site location information over a two-week period “without a warrant based on probable cause was an invasion of privacy and a violation of the state Declaration of Rights,” reports the Associated Press. The decision “says that people can have a constitutionally protected privacy interest in information about them even if that information is in the hands of a third-party service provider like their cellphone company,” said Matthew Segal, legal director for the American Civil Liberties Union of Massachusetts.

New Jersey Assembly Committee Passes Reader Privacy Act
The New Jersey Assembly Consumer Affairs Committee has unanimously recommended passage of the Reader Privacy Act, reports The New Jersey Law Journal. The law would require police to obtain a judge's approval before collecting information about a person's book and e-book purchase history and prevent sellers from sharing the information with third parties. If passed, the state would become the third in the nation to have such a law.

Rhode Island Considers Social Media Privacy Bill
The Rhode Island Legislature is considering a bill that would prohibit employers and schools from penalizing employees or students for refusing to hand over social media information or compelling them to do so, reports The Brown Daily Herald. Senate Majority Leader Dominick Ruggerio (D-Providence and North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton and Westerly) proposed the legislation, with Ruggerio noting, “The term ‘social media’ does not mean everything associated with a person’s online presence is automatically public, and it is not a license for an employer or school to pry into private material,” according to a press release.

Wisconsin Senate Passes Drone Bill
The Wisconsin Senate passed a bill that would limit police and others’ use of drones, including barring drones with cameras and weapons, reports the Milwaukee-Wisconsin Journal Sentinel. Under the bill, police would need a warrant to use data collected by drones unless in public, and the bill would ban private individuals from using drones to record others where they would have a reasonable expectation of privacy. While civil rights advocates say drones pose a threat to privacy, drone industry groups are concerned that drone privacy bills will hamper the benefits of drones.

Wyoming Student Privacy Bill Heads to House Floor
The Wyoming House Judiciary Committee passed a bill requiring parental consent before collecting children’s personal and education data, but first it amended the bill to state that only data collected by the state Department of Education would require the consent, reports the Associated Press. HB 179 passed with a 7-2 vote. Rep. Lynn Hutchings (R-Cheyenne) said the bill would allow parents “to be able to see exactly what's going on, what the education system is asking for and truly get involved by saying each year, 'Yes, I agree that you can collect this data or not.'” The bill will now go to debate on the House floor.

U.S.

Cline: U.S. Leads World in Privacy Violation Fines
Jay Cline, CIPP/US, writes for Computerworld on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.”

AGs Want State Breach Laws Kept on Books
Given that there is no federal law regulating data breaches, most states have created their own rules on data breach disclosures. And state attorneys general (AGs) are interested in keeping it that way, Politico reports. While a federal baseline law would be welcome, the report notes that state AGs want to keep their laws in place. “States have been the leaders, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases for as long as there have been such things,” said Maryland Attorney General Doug Gansler. “It’s almost always a local issue. … We actually get things done.” Editor's Note: Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US, recently examined the privacy protection efforts of AGs in the Privacy Perspectives post, “Think the FTC Is the De Facto U.S. Data Protection Authority? State AGs May Have Something To Say.”

Indian Gov't Plans To Create DPA, Give Citizens Privacy Rights
The government plans to grant all residents a right to privacy and establish a data protection authority (DPA) to rule on issues involving privacy and impose penalties for violations, The Economic Times reports. Under the draft “Right to Privacy” bill, the DPA will investigate data breaches and issue orders to protect those affected. The draft bill also prohibits “covert surveillance of individuals which leads to breach of their privacy, unless authorized by law.” Exemptions to the bill have been proposed for national safety or security and maintenance of public order.

Bill Would Restrict Use, Collection of Student Data
California Sen. Darrell Steinberg (D-Sacramento) will today introduce a bill aimed at protecting student data, The New York Times reports. “The bill would prohibit education-related websites, online services and mobile apps for K-12 graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance,” the report states. A growing chorus of lawmakers believes laws on student data have been unable to keep pace with technological innovations. Steinberg said he doesn’t want to limit legitimate use of student data but believes the data should be used for “educational benefit and nothing else.” (Registration may be required to access this story.)

Court: Facebook Must Comply with Data Protection Law
The Higher Court of Berlin has ruled Facebook must comply with German data protection law, PCWorld reports. However, that decision, which confirms a 2012 decision finding the social network’s “Friend Finder” violated the country’s law, has “directly contradicted an earlier decision by another court,” the report states, citing a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein. The Higher Court of Berlin also found portions of Facebook’s privacy policy and terms of service violate the law. The Federation of German Consumer Organisations, or VZBV, called the decision “a milestone for data protection in the Facebook era.”

CANADA

Experts Examine Next Step for Alberta's PIPA
In a Mondaq report, James Bond, Robert W. Pakrul and Eileen Vanderburgh look back at the November decision by the Supreme Court that Alberta's Personal Information Protection Act (PIPA) is unconstitutional and consider what will come next. “Varying degrees of scope of amendment could possibly be advanced to deal with the constitutional issues arising from PIPA's structure, which establishes a broad prohibition against any information collection, use or disclosure absent consent,” they write. Alberta Information and Privacy Commissioner Jill Clayton’s recommendation is “that the most appropriate scope of change is the narrowest one,” they write, citing her desire for a change that “would preserve the delicate balance between freedom of expression rights, and legitimate privacy expectations of individuals, which PIPA is designed to protect.”

Court Generates List of Factors for Metadata Cases
Mondaq reports on a recent Nova Scotia Court of Appeal case on “questions of relevance, proportionality and privacy in the context of whether or not to order the production of electronic information.” Laushway v. Messervey resulted in a court order requiring a plaintiff to produce a hard drive containing metadata for forensic review, and the court has created “a list of factors for judges to consider when deciding whether to grant a production order in similar circumstances,” the report states. Among the factors the court recommends in its list are privacy, balancing, objectivity, discoverability and reliability.

EU

On Leveraging Big Data While Complying with Law
The Big Data Project (BDP), an Open University study, is looking into how organizations can leverage Big Data while complying with EU data protection principles. In this post for Privacy Perspectives, Sara Degli Esposti, a research fellow at the Open University Business School, discusses the study, asking, “What kind of legislation do we need to create that positive system of incentive for organizations to innovate in the privacy field?” The BDP “represents a chance for you to contribute,” she writes, “and learn about, the debate on the reform of the EU Data Protection Directive.” The BDP is open to employees concerned with data management or use “from all types of organizations … with interests in Europe.”

Dutch Law Enforcement Calls for Improvements
Dutch law enforcement officials want improvements in how communications data is collected and stored, Telecompaper reports, citing a justice ministry evaluation of The Netherlands’ data retention law. “Law enforcement officials that participated in the evaluation called for an expansion of the retention period for the data to a full 12 months, as well as an end to distinctions between telephony and Internet data,” the report states, noting, “For mobile calls, they also want not only the time when the call started recorded but also the time it ended.”

Swedish Telecom Privacy Rules Go Into Effect in September
PTS, Sweden’s postal and telecoms regulator, is establishing requirements for telecoms operators to protect their customers' personal information and communications, Telecompaper reports. “Among other things, the new regulations deal with the question of who is allowed to access and handle customer information. PTS said only people with the correct training and who need the information in order to carry out their work will be able to access sensitive details about customers and their communications,” the report states. The regulations are scheduled to go into effect on 1 September.

ASIA PACIFIC

Hong Kong PCPD Releases Guidance on Privacy-Management Programs
The Office of the Privacy Commissioner for Personal Data (PCPD) has released a guide outlining the foundations of privacy management programs. The Privacy Advisor takes a closer look at the guide, aimed at helping organizations as they develop or improve programs. The South China Morning Post reports from the PCPD’s event, spotlighting how privacy scandals, such as the much-publicized Octopus incident, can result in businesses choosing “to reconsider their approach to data protection.” Octopus Holdings Chief Executive Sunny Cheung said, "Legal rights do not save you from dissatisfied customers," explaining the company now collects “minimal” personal data and avoids “vague terms that could mislead customers about data policies,” the report states. Editor’s Note: PCPD Allan Chiang will be one of the keynote speakers at The IAPP Asia Privacy Forum in Hong Kong on March 31.

South Korea’s FSS Announcing New Measures
South Korea’s Financial Supervisory Service (FSS) is preparing to announce measures to “better protect personal information (PI) handled by financial firms following a recent massive data leak,” Yonhap News Agency reports. The measures include limiting financial firms from requesting "too much" PI. “The newly crafted measures may go into effect starting in April after preparation works,” said an FSS official. The breach that prompted the measures involved PI on “half of the country's 50-million population” from three credit card firms—KB Kookmin, NH Nonghyup and Lotte—and Kookmin Bank.

Written By

Emily Leach, CIPP/US
